Method and base chip for monitoring the operation of a microcontroller unit

ABSTRACT

To enable a method and a base chip (200) for monitoring, by means of at least one base chip (200), the operation of at least one microcontroller unit (300) that is intended for at least one application and is associated with a system (100) to be further developed in such a way that a reset of the microcontroller unit (300) only takes place under defined conditions, it is proposed that a reset (R) of the microcontroller unit (300) is caused if at least one special sequence, and particularly at least one drive or access sequence assigned to the reset operation (R), is applied to the base chip (200).

The present invention relates to a method of monitoring the operation of at least one microcontroller unit, that is intended for at least one application and is associated with a system, by means of at least one base chip, and particularly a system base chip.

The present invention further relates to a base chip, and particularly a system base chip, for monitoring the operation of at least one microcontroller unit that is intended for at least one application, and to an associated system, and particularly a control system.

In modern-day control units, in automobile electronics for example, it is no longer usual for use to be made of permanently preprogrammed microcontrollers because the fixed preset program means that modifications cannot then be made in the course of ongoing volume production or by the end-customer.

Motor-vehicle manufacturers are therefore increasingly going over to the practice of using so-called volatile memories or flash memories in the microcontrollers; volatile memories of this kind allow the program code to be overwritten at any time, which can be done both in production and in a repair shop, as part of an inspection say.

The fact that in automobile electronics systems are increasingly being fitted with flash memories of this kind makes it possible for the software of the control unit to be replaced even “in the field”, i.e. in a car repair shop for example. In this way, motor vehicles can be modified even after delivery if faults are found in the software, thus enabling ongoing improvements to be made in the quality of the vehicles.

To thus enable the software in the program memory to be overwritten in a microcontroller unit, functions are normally incorporated in the microcontroller unit that ensure that the software is not accidentally overwritten while the motor vehicle is operating. For known microcontroller units, at least one hardware reset is required to enable the flash memory to be overwritten via certain signals at the terminals of the microcontroller unit.

In existing control units, there is always a problem in this connection in triggering the hardware reset mentioned without making alterations directly at the control unit. The control unit is usually difficult of access and therefore cannot be reset easily.

In the prior art, the existing monitoring module or “watchdog” (a configurable timer having a clock-signal derived from an independent source) is often used to trigger the hardware reset. What the term “watchdog” is generally understood to mean in this connection is a technique that is used to monitor devices, connections or software cyclically. If a piece of software is no longer following the ordered path laid down by the software, the watchdog is intended to reset the microcontroller and in this way to restore the running of the program to its planned course.

To trigger the hardware reset, a command to this effect is sent to the control unit that is to undergo reprogramming over the vehicle's serial bus system, which may be a C[ontroller] A[rea] N[etwork] bus, for example. The control unit then interrupts the regular access to the watchdog unit and this, after the overrun, causes a reset to occur.

However, something that is felt to be a disadvantage with this procedure is that the overrun of the watchdog unit always has to be waited for before the control unit can be changed over to the programming mode. Also, it is not easy for the control unit to tell whether the reset is intended to cause entry into a flash programming mode or whether it means that there is some other problem in the control unit in this case.

The same disadvantage exists when the flash programming has been completed, because a fresh hardware reset is then required and this again can only take place as a result of an overrun by the watchdog unit. In this case too, an unnecessarily large amount of time is wasted until the watchdog unit “times out”.

In existing schemes for control units, there is also a requirement, for safety reasons, for at least one hardware signal to be altered at the control unit in such a way that the programming mode is enabled. For this too, direct access to the control unit is required, and in modern-day motor vehicles, due to the cramped space available, this is almost impossible.

Something else that is felt to be a very definite problem is enabling the watchdog unit to continue operating while the control unit is being flash programmed. The flash programming routines are time-intensive, and because of this it may no longer be possible under certain circumstances for the watchdog unit to be operated to the usual close tolerances.

Taking the disadvantages and shortcomings described above as a point of departure and with due allowance for the prior art outlined, it is an object of the present invention so to further develop a method of the kind detailed in the first paragraph and a base chip of the kind detailed in the second paragraph that a reset of a microcontroller unit associated with the system only takes place under defined conditions.

This object is achieved by a method having the features specified in claim 1 and by a base chip having the features specified in claim 5. Advantageous embodiments and useful refinements of the present invention are described in the respective sets of dependent claims.

The present invention is therefore based on providing at least one system base chip giving defined flash-mode support, in such a way that a reset of the microcontroller unit is caused when at least one special sequence, and particularly at least one drive or access sequence assigned to resetting, is applied to the base chip.

Under the teaching of the present invention, it is therefore proposed that there be provided, in a system base chip that, by the implementation of at least one monitoring module, also comprises a watchdog function, a mode that allows a hardware reset, that is to say a reset of the hardware, to be triggered deliberately.

In accordance with the invention, this intentional hardware reset is only triggered when a special sequence, and particularly at least one drive or access sequence assigned to resetting, is fed to the system base chip, in order in this way to prevent the reset from being triggered accidentally. This sequence replaces the hardware signal prescribed in the prior art that would be needed directly at the control unit, that is to say the microcontroller unit. This makes it possible to avoid the need for direct access to the control unit, and this in turn allows the control unit to be fitted at any desired point.

In a particularly inventive embodiment, it is proposed that this, as it were, forced reset be made known to the application. For this purpose and in line with the history, it is advantageously indicated in at least one register, and particularly in at least one reset source register, that the reset event was triggered by the special sequence to the system base chip. In this way, it is possible for the software to directly detect that the flash memory unit clearly has to be reprogrammed.

In a preferred embodiment of the present invention, it is proposed that, after a successful special sequence and after a reset has taken place, there be a single opportunity of going to a separate mode, and particularly a separate flash mode, for the system base chip. This special mode allows the system to continue being used as in the normal mode, but use to be made of simplified watchdog triggering.

In this way, the watchdog cycle can be adjusted to the existing flash programming routines without jeopardizing the safety or reliability of the system in the normal mode. During the flash programming, operations can therefore take place with the monitoring module in a so-called “time-out” mode (meaning that triggering must always occur within a given time, though early triggering is permitted) whereas in normal operation use is made of the so-called “window” mode (basically the same as the time-out mode but early triggering is not permitted; the window has to be hit and this makes more stringent demands on the software).

To enable another forced reset to be effected without any waiting time after flash programming has taken place, it is proposed that during the flash mode a different watchdog code may advantageously be used for access to the system base chip, which code may for example be transmitted to the system base chip via the serial interface unit, via say an SPI (serial peripheral interface).

If the flash mode is to be exited, use is preferably made of the normal watchdog access code, which is not permitted during the flash mode and thus produces an immediate system reset. In this case too, the reset source register once again provides the software with the appropriate information to allow the start-up of the software to be controlled as required.

To re-enter the flash mode, the fail-safe sequence has to be sent to the system base chip again. If the flash mode is not activated after the sequence and after the reset has taken place, access to the flash mode is usefully barred until such time as the fail-safe sequence is again sent to the system base chip.

Finally, the present invention relates to the use of a method of the kind described above and/or of at least one base chip of the kind described above for monitoring the operation of at least one microcontroller unit intended for at least one application, in automobile electronics and particularly in the electronics of motor vehicles.

As has already been described above, there are various possible ways in which the teaching of the present invention may advantageously be embodied and refined. On the one hand, reference can be made in this connection to the claims dependent on claims 1 and 5, and on the other, further aspects, features and advantages of the present invention are apparent from and will be elucidated with reference to the illustrative embodiment shown in FIGS. 1 and 2 and described hereinafter.

In the drawings:

FIG. 1 is a block diagram of an embodiment of a system according to the present invention having a base chip and a microcontroller unit; and

FIG. 2 is a block diagram of an embodiment of a flow chart for the method according to the present invention.

Shown diagrammatically in FIG. 1 is a control system 100 that, as well as a microcontroller unit 300 having a supply unit 310 (providing the VDD supply), a reset unit 320 and an I[nput]/O[utput] module 330, also has a so-called S[ystem] B[ase] C[hip] 200 that comprises a monitoring module 10 (= a watchdog unit) for monitoring the operation of the microcontroller unit 300, the said microcontroller unit 300 being intended for an application.

Because the system chip 200 allows a distinction to be made between different reset events and the different events to be made accessible to the application microcontroller 300, the system chip 200 has a reset source register 20 that is provided to allow for different reset events, and a reset unit 40 (for system resets) that is connected to the microcontroller unit 300 by a connection 42 (going to the reset unit 320 of the microcontroller unit 300).

To allow information and signals to be exchanged, the monitoring module 10 and the reset source register 20 have inserted in front of them an interface unit 30 (feeding the I[nput]/O[utput] module 330 of the microcontroller unit 300).

As is also apparent from what is shown in FIG. 1, the monitoring module 10 and a microcontroller supply unit 50 that is connected to the microcontroller unit 300 by a connection 52 have permanently associated with them at least one battery unit 400. Whereas the monitoring module 10 receives a permanent supply from the battery 400, the microcontroller supply unit 50 can be switched on and off by means of a switch 54, thus enabling a temporary energy supply to be associated with the microcontroller unit 300 via the microcontroller supply unit 50 (supplying the VDD supply unit 310 of the microcontroller unit 300).

The hardware basics of the system 100 according to the present invention having thus been elucidated, the diagram in FIG. 2 now shows, in chart form, a typical embodiment of flow for a method according to the present invention.

This method is performed by means of the system base chip 200 that, by means of a special (access) sequence, is able to “deliberately” trigger a hardware reset R of the system 100. For this purpose, the system base chip 200 makes it known in the prescribed reset source register 20 that the hardware reset R is being performed deliberately, in order in this way to inform the software of why the hardware reset R has been carried out; the transition to an appropriate routine is made possible in this way.

This special sequence ensures that the hardware reset R is not being carried out unintentionally, which is indicated in FIG. 2 by the enquiry routine [b] that leads from the normal mode of operation N of the microcontroller unit 300 to the hardware reset R. Under this enquiry routine [b], a check is made to see whether the special sequence has been successfully transmitted, whereupon a special mode of operation S, namely a flash mode, of the microcontroller unit 300 is permitted.

In line with this, the system base chip 200 allows the special mode of operation (= the flash mode S in this case), in which the watchdog access can take place in a simplified manner, to be activated once after the access sequence and after the reset R has taken place. What happens in this case is that the microcontroller unit 300 activates the special mode of operation S, namely the flash mode, permission having been given for the flash mode (see FIG. 2: enquiry routine [c] from hardware reset R to flash mode (time-out watchdog) S).

During the special mode, namely the flash mode S, use is made of a special trigger code, namely a flash watchdog trigger code under enquiry routine [d] that differs from the normal watchdog trigger code under enquiry routine [a], to ensure that the software will run the correct routine.

If a different or incorrect watchdog trigger code is then used during the special mode of operation, the flash mode will be embargoed (see FIG. 2: enquiry routine [e] from flash mode (time-out watchdog) S to hardware reset R), and the system base chip will at once trigger another hardware reset R; the reset source register 20 is set accordingly and the special mode S is exited in this way.

Also, the enquiry routine [f] leading from the hardware reset R to the normal mode of operation N of the microcontroller unit 300 indicates that the microcontroller unit 300 activates the normal mode of operation N, which is equivalent to an embargo on the special mode of operation S, namely the flash mode of the microcontroller unit 300.

So, to sum up, it can be said that the system 100 shown in FIG. 1 and the method shown in FIG. 2 are designed to monitor the operation of a microcontroller unit 300 that is intended for an application and is associated with a system 100, by means of a system base chip 200.

In so doing, use is made of a function that enables a fail-safe previously input mode of operation of the system base chip 200 to be implemented, which in turn permits an intended hardware reset for the application, both at the beginning and at the end of the said mode of operation. This function thus allows an optimum flash-memory programming mode to be implemented within the system base chip 200 during a triggering of the watchdog.

LIST OF REFERENCE NUMERALS

-   100 System, in particular a control system
-   10 Monitoring module, in particular a watchdog unit
-   12 Connection between monitoring module 10 and register unit 20
-   20 Register unit, in particular a reset source register
-   24 Connection between register unit 20 and reset unit 40
-   30 Interface unit
-   32 Connection, in particular a signal line, between interface unit 30 and microcontroller unit 300
-   40 Reset unit
-   42 Connection between reset unit 40 and microcontroller unit 300
-   50 Supply unit
-   52 Connection between supply unit 50 and microcontroller unit 300
-   54 Switch of supply unit 50
-   200 Base chip, in particular a system base chip
-   300 Microcontroller unit, in particular an application microcontroller
-   310 Supply unit for microcontroller unit 300
-   320 Reset unit for microcontroller unit 300
-   330 I[nput]/O[utput] module of microcontroller unit 300
-   400 Battery unit
-   N Normal mode of operation of microcontroller unit 300
-   R Reset of microcontroller unit 300
-   S Special mode of operation, in particular a flash mode, of microcontroller unit 300

1. A method of monitoring the operation of a microcontroller unit that is intended for at least one application and is associated with a system, by means of a base chip, particularly a system base chip, characterized in that: causing a reset of the microcontroller unit if a reset condition is detected, wherein the reset condition is transmission of at least one special sequence, particularly at least one drive or access sequence assigned to the reset operation, to the base chip and the reset of the microcontroller unit is confirmed under an enquiry routine by checking whether the at least one special sequence has been successfully transmitted to the base chip; activating a special mode of operation, particularly a flash mode of the base chip, once after the check has been made to see whether the special sequence has been successfully applied and after the reset operation, by allowing access to a monitoring module that is associated with the base chip to take place in a manner which is simplified in comparison with the normal mode of operation of the microcontroller unit; supplying a permanent energy supply from a battery unit to the monitoring module; and switching a microcontroller supply unit of the base chip to enable or disable a temporary energy supply from the battery unit to the microcontroller unit.

2. A method as claimed in claim 1, characterized in that: further comprising: during the special mode of operation, using a special trigger code or a special trigger signal for the monitoring module that is different from the normal mode of operation; and causing a fresh reset of the microcontroller unit using the normal trigger code or the normal trigger signal, to enable the special mode to be exited again.

3. A method as claimed in claim 1, further comprising: making a distinction between reset events that differ in relation to the operation of the microcontroller unit; and logging said different reset events and making said different reset events known in at least one register unit using different register entries.

4. A base chip, particularly a system base chip, for monitoring the operation of a microcontroller unit that is intended for at least one application, characterized by: a reset unit for resetting the microcontroller unit, which reset unit is connected to said microcontroller unit, wherein a reset of the microcontroller unit is caused if a reset condition is detected, wherein the reset condition is transmission of at least one special sequence, particularly at least one drive or access sequence assigned to the reset operation, to the base chip and the reset of the microcontroller unit is confirmed under an enquiry routine by checking whether the at least one special sequence has been successfully transmitted to the base chip; a microcontroller supply unit connected to the microcontroller unit, wherein the microcontroller supply unit is permanently associated with a battery unit; a switch connected to the microcontroller supply unit, wherein the switch is configured to switch the microcontroller supply unit to enable or disable a temporary energy supply from the battery unit to the microcontroller unit; and a monitoring module that is associated with the microcontroller unit, wherein a special mode of operation, particularly a flash mode of the base chip, can be activated once after the check has been made to see whether the special sequence has been successfully applied and after the reset operation, by allowing access to the monitoring module to take place in a manner which is simplified in comparison with the normal mode of operation of the microcontroller unit, wherein the monitoring module is permanently associated with the battery unit so that the monitoring module receives a permanent energy supply from the battery unit.

5. A base chip as claimed in claim 4, further comprising: at least one register unit configured to allow for different reset events, to log and make known different reset events using different register entries.

6. A base chip as claimed in claim 5, characterized in that: the monitoring module is triggerable in particular by means of at least one interface unit; or to distinguish between the particular accesses to the monitoring module, different reset events can be marked by different trigger codes or trigger signals.

7. A base chip as claimed in claim 6, characterized in that there is provided between the monitoring module and the microcontroller unit at least one signal line for transmitting at least one trigger code or trigger signal that differs from the normal mode of operation of the microcontroller unit.

8. A system, and particularly a control system, characterized by at least one microcontroller unit intended for at least one application and by at least one base chip as claimed in claim 4.

9. Use of a method as claimed in claim 1 for monitoring the operation of at least one microcontroller unit intended for at least one application, in the electronics of motor vehicles.

10. The use of a method as claimed in claim 9, wherein the at least one application includes automobile electronics.

11. Use of at least one base chip as claimed in claim 4 for monitoring the operation of at least one microcontroller unit intended for at least one application, in the electronics of motor vehicles.

12. The use of at least one base chip as claimed in claim 11, wherein the at least one application includes automobile electronics.